8493fb18ae
The `--rootless` flag had a couple of issues:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)
To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.
RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.
To fix #39009, the non-robust `$USER` check is now completely removed.
The entire logic can be illustrated as follows:
```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```
Close #39024
Fix #38702 #39009
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 3518383ed9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
3.7 KiB
Rootless mode (Experimental)
The rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).
No SETUID/SETCAP binary is required except newuidmap and newgidmap.
Requirements
-
newuidmapandnewgidmapneed to be installed on the host. These commands are provided by theuidmappackage on most distros. -
/etc/subuidand/etc/subgidshould contain >= 65536 sub-IDs. e.g.penguin:231072:65536.
$ id -u
1001
$ whoami
penguin
$ grep ^$(whoami): /etc/subuid
penguin:231072:65536
$ grep ^$(whoami): /etc/subgid
penguin:231072:65536
Distribution-specific hint
Debian (excluding Ubuntu)
sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"is required
Arch Linux
sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"is required
openSUSE
sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filteris required. (This is likely to be required on other distros as well)
RHEL/CentOS 7
sudo sh -c "echo 28633 > /proc/sys/user/max_user_namespaces"is required- COPR package
vbatts/shadow-utils-newxidmapneeds to be installed
Restrictions
- Only
vfsgraphdriver is supported. However, on Ubuntu and a few distros,overlay2andoverlayare also supported. - Following features are not supported:
- Cgroups (including
docker top, which depends on the cgroups device controller) - Apparmor
- Checkpoint
- Overlay network
- Exposing SCTP ports
- Cgroups (including
- To expose a TCP/UDP port, the host port number needs to be set to >= 1024.
Usage
Daemon
You need to run dockerd-rootless.sh instead of dockerd.
$ dockerd-rootless.sh --experimental
As Rootless mode is experimental per se, currently you always need to run dockerd-rootless.sh with --experimental.
Remarks:
- The socket path is set to
$XDG_RUNTIME_DIR/docker.sockby default.$XDG_RUNTIME_DIRis typically set to/run/user/$UID. - The data dir is set to
~/.local/share/dockerby default. - The exec dir is set to
$XDG_RUNTIME_DIR/dockerby default. - The daemon config dir is set to
~/.config/docker(not~/.docker, which is used by the client) by default. - The
dockerd-rootless.shscript executesdockerdin its own user, mount, and network namespaces. You can enter the namespaces by runningnsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid).
Client
You can just use the upstream Docker client but you need to set the socket path explicitly.
$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx
Routing ping packets
To route ping packets, you need to set up net.ipv4.ping_group_range properly as the root.
$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range"
Changing network stack
dockerd-rootless.sh uses slirp4netns (if installed) or VPNKit as the network stack by default.
These network stacks run in userspace and might have performance overhead. See RootlessKit documentation for further information.
Optionally, you can use lxc-user-nic instead for the best performance.
To use lxc-user-nic, you need to edit /etc/lxc/lxc-usernet and set $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic.